[ScreenOS] Understanding the contact interval values for Infranet Controller and Infranet Enforcer

Article ID: KB22199 KB Last Updated: 12 Jan 2021 Version: 3.0
Summary:
This article describes the behavior of Infranet Controller contact interval values, which are configured on the Infranet Enforcer.
Symptoms:
In a UAC environment that uses L3 enforcement via an Infranet Enforcer (IE), which is the ScreenOS device, the IE initiates the control channel session via SSL to the Infranet Controller (IC) and waits for the IC to initiate the SSH communication channel. When both channels are established, the state on the IE becomes Connected/Connected (SSL/SSH).
SSG140(M)-> get infranet controller
INSTANCE HOST Port Interface State (SSL/SSH)
==========================================================
ic6000 150.72.28.130 11122 ethernet0/0 Connected/Connected
Contact Interval: 10 seconds
Cleanup Infranet state delay: 180 seconds
Timeout Action: Close

Under certain circumstances, the IC may be delayed in initiating the SSH communication channel. While the SSH communication channel is not established, the state on the IE remains Connected/Close (SSL/SSH).
SSG140(M)-> get infranet controller
INSTANCE HOST Port Interface State (SSL/SSH)
=======================================================
ic6000 150.72.28.130 11122 ethernet0/0 Connected/Close
Contact Interval: 10 seconds
Cleanup Infranet state delay: 180 seconds
Timeout Action: Close
When the SSH communication channel is not established within the IC contact interval, the SSL control channel will be closed.
SSG140(M)-> get infranet controller
INSTANCE HOST Port Interface State (SSL/SSH)
==================================================
ic6000 150.72.28.130 11122 ethernet0/0 Close/Close
Contact Interval: 10 seconds
Cleanup Infranet state delay: 180 seconds
Timeout Action: Close
Solution:
To avoid this situation, adjust the IC contact interval on the IE so that it waits longer for the IC to initiate the SSH communication channel. The ScreenOS command is:
set infranet controller name "<IC Instance>" timeout <seconds>
By default, the IC contact interval is 10 seconds. When the IC contact interval is increased, the IE waits longer for the IC to initiate the SSH communication channel. Also, the SSL reconnect interval on the IE is fixed at 60 seconds.
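The three states shown under Symptoms can be checked automatically from captured CLI output. The Python below is an added example, not Juniper code: it parses `get infranet controller` output and reports every IC instance that is not Connected/Connected. The sample text is constructed from the output in this article; the function names, and the assumption that the settings lines follow the instance row they belong to, are assumptions of this example.

```python
import re

# Constructed sample, modelled on the `get infranet controller` output in this article.
SAMPLE = """\
SSG140(M)-> get infranet controller
INSTANCE HOST Port Interface State (SSL/SSH)
=======================================================
ic6000 150.72.28.130 11122 ethernet0/0 Connected/Close
Contact Interval: 10 seconds
Cleanup Infranet state delay: 180 seconds
Timeout Action: Close
"""

# Instance row: name, host, numeric port, interface, then SSL state/SSH state.
ROW = re.compile(r"^(?P<instance>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)\s+"
                 r"(?P<interface>\S+)\s+(?P<ssl>\w+)/(?P<ssh>\w+)$")
# "Key: value" settings lines; assumed to follow the row they describe.
SETTING = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.+)$")
STATUS = {("Connected", "Connected"): "ok", ("Connected", "Close"): "waiting-for-ssh",
          ("Close", "Close"): "down"}
NOTES = {
    "waiting-for-ssh": "SSL up, SSH not established; SSL closes if SSH is not up within the contact interval ({ci})",
    "down": "SSL and SSH closed; the IE retries SSL on its fixed 60-second reconnect interval",
    "unknown": "unrecognised SSL/SSH state in the output",
}

def parse_infranet_status(text):
    """Return one dict per IC instance found in the captured CLI output."""
    instances = []
    for line in map(str.strip, text.splitlines()):
        row, setting = ROW.match(line), SETTING.match(line)
        if row:
            entry = row.groupdict()
            entry["port"] = int(entry["port"])
            entry["status"] = STATUS.get((entry["ssl"], entry["ssh"]), "unknown")
            instances.append(entry)
        elif setting and instances:
            instances[-1][setting["key"].strip().lower()] = setting["value"]
    return instances

def findings(text):
    """Return (instance, message) pairs for every instance that is not fully connected."""
    return [(ic["instance"], NOTES[ic["status"]].format(ci=ic.get("contact interval", "unknown")))
            for ic in parse_infranet_status(text) if ic["status"] != "ok"]

if __name__ == "__main__":
    for name, message in findings(SAMPLE):
        print(f"{name}: {message}")
```

An instance that stays in the Connected/Close state across several polls, followed by Close/Close, matches the delayed-SSH behaviour described above and is the case where raising the contact interval applies.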
Modification History:
2021-01-12: Added description that IE is the ScreenOS device